I think I've cracked it using a reverse_nested aggregation, and putting the date_histogram within that:
"aggs": {
"1": {
"nested": {
"path": "field"
},
"aggs": {
"2": {
"terms": {
"field": "field.key"
},
"aggs": {
"3": {
"reverse_nested": {},
"aggs": {
"4": {
"date_histogram": {
"field": "@timestamp",
"extended_bounds": {
"max": "now/h",
"min": "now/h-1d"
},
"interval": "hour",
"min_doc_count": 0
}
}
}
}
}
}
}
}
},